Security Firms Face Crisis Of Trust

Mikko Hypponen reflects on shift toward rampant government spying and use of malware -- and targeted attack attempts on F-Secure

Arguably the most high-profile speaker to boycott the 2014 RSA Conference in San Francisco last week in the wake of allegations that RSA Security entered into a private contract with the National Security Agency was renowned security expert Mikko Hypponen, chief research officer for Finnish security firm F-Secure.


Hypponen -- who was the first speaker to cancel his talk at the conference after Reuters reported in late December that RSA Security had a secret pact with the NSA to make a flawed, NSA-designed random-number generator the default in its products -- had not spoken publicly about his decision until last week, at an F-Secure press luncheon and at TrustyCon, a privacy-themed protest conference held next door to the RSA Conference.

"It's about trust. The main reason I canceled my talk at RSA was that I felt they weren't trustworthy anymore. Security companies like ours are built on trust," Hypponen told a group of journalists at his annual press luncheon in San Francisco last week. "If we lose that trust, there really isn't anything else."

[RSA Security executive chairman Art Coviello addressed publicly for the first time the security company's relationship with the NSA and its cyberdefense arm. See Coviello: RSA Security's Work With NSA 'A Matter Of Public Record'.]

Hypponen said he doesn't expect things to change much at all when it comes to the wave of allegations of NSA surveillance that came from NSA documents leaked by former contractor Edward Snowden. "Nothing has really happened" since the allegations about RSA, he said. Hypponen said he didn't attend RSA Security executive chairman Art Coviello's keynote address last week, during which Coviello said RSA's relationship with the NSA mainly has entailed working with NSA's Information Assurance Directorate (IAD), the cyberdefense arm of the agency.

"I'm glad Art addressed this. That's good," he said, noting that he had read some of the speech. But his keynote didn't confirm whether RSA was complicit in NSA spying, he said: "What I gathered from his talk was that they weren't complicit -- they were just incompetent, if that's supposed to make us feel any better."

RSA's Coviello stopped short of addressing the specifics of reports that in 2006 the NSA paid RSA $10 million under a secret contract to make the Dual EC DRBG random-number generator the default in its BSAFE toolkit, allegedly to further the agency's surveillance programs. Dual EC DRBG is not an encryption algorithm but a pseudorandom number generator; its weakness, shown publicly by Microsoft researchers Dan Shumow and Niels Ferguson in 2007, is that whoever chose its two elliptic-curve constants could hold a secret scalar relating them, and with it recover the generator's internal state from a single block of output and predict every subsequent value, including any keys derived from it. In a blog post after the Reuters story ran, RSA said it had not "entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
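To see why a random-number generator, rather than a cipher, can be the backdoor, here is an added example; it is not code from the article, from RSA, or from the NIST standard. It implements the Dual EC DRBG output loop over a toy setup with a planted trapdoor and then plays the attacker. The assumptions are all mine: the curve is secp256k1 rather than the P-256 the standard uses (any prime-order curve shows the same effect, and secp256k1 needs only three small constants); each output drops 8 bits instead of the standard's 16, so the brute force runs in seconds; and the "designer" picks Q first and derives P = d*Q from a made-up secret d, whereas in the standard P is the curve generator and Q is the unexplained constant. The attack needs only that the two points are related by a scalar the attacker knows.

```python
"""Toy Dual_EC_DRBG with a planted trapdoor (illustration only).

Added example, not code from the article, RSA, or NIST.  Assumptions:
  * curve is secp256k1 (the real generator uses NIST P-256);
  * each output drops the top 8 bits of the x-coordinate, not the 16 bits
    that SP 800-90A specifies, so the search below finishes quickly;
  * the designer picks Q first and derives P = d*Q from a made-up secret d.
"""

P_MOD = 2**256 - 2**32 - 977      # secp256k1 field prime, curve y^2 = x^3 + 7
A, B = 0, 7
INF = None                        # point at infinity


def inv(x):
    return pow(x, -1, P_MOD)


def ec_add(p1, p2):
    """Affine group law; handles doubling and the identity element."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:          # p1 == -p2
            return INF
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Point (x, y) on the curve, or None if x is not a valid x-coordinate.
    P_MOD = 3 (mod 4), so v^((p+1)/4) is a square root whenever v is a square."""
    v = (x * x * x + A * x + B) % P_MOD
    y = pow(v, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == v else None


def first_point():
    """Smallest-x point on the curve; serves as the public constant Q."""
    for x in range(1, 1000):
        pt = lift_x(x)
        if pt is not None:
            return pt


# --- designer's side: public constants P, Q with a planted relation -------
TRAPDOOR_D = 0x1337C0DE0BAD5EED1337C0DE0BAD5EED    # made-up secret scalar
Q = first_point()
P = ec_mul(TRAPDOOR_D, Q)                         # P = d*Q, so d*(s*Q) = s*P

TRUNC_BITS = 8
OUT_BITS = 256 - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1


def dual_ec_step(s):
    """One iteration as in SP 800-90A: s <- x(s*P), r <- x(s*Q),
    output <- r with its top TRUNC_BITS bits removed."""
    s = ec_mul(s, P)[0]
    r = ec_mul(s, Q)[0]
    return s, r & OUT_MASK


def dual_ec_outputs(seed, n):
    """n consecutive outputs starting from a seed state."""
    s, outs = seed, []
    for _ in range(n):
        s, out = dual_ec_step(s)
        outs.append(out)
    return outs


# --- attacker's side: two outputs plus d reveal the internal state --------
def recover_state(out1, out2, d):
    """Return the state whose x(s*Q) produced out2 (and so every later
    output), or None if the outputs do not fit these constants."""
    for hi in range(1 << TRUNC_BITS):             # guess the dropped bits
        x = (hi << OUT_BITS) | out1
        if x >= P_MOD:
            continue
        R = lift_x(x)                              # R = +/- s*Q; sign is irrelevant
        if R is None:
            continue
        s_next = ec_mul(d, R)[0]                   # x(d*R) = x(s*P) = next state
        if ec_mul(s_next, Q)[0] & OUT_MASK == out2:
            return s_next
    return None


def demo(seed=0xDEADBEEFCAFE):
    """Victim emits four outputs; attacker forecasts the last two from the first two."""
    seen = dual_ec_outputs(seed, 4)
    s = recover_state(seen[0], seen[1], TRAPDOOR_D)
    predicted = dual_ec_outputs(s, 2)
    return seen[2:], predicted
```

Calling demo() returns the victim's third and fourth outputs alongside the attacker's forecast of them, and the two lists match. Without d, recovering the state from an output means solving a 256-bit elliptic-curve discrete logarithm; with it, the only cost is enumerating the dropped bits, which is why the standard's 16-bit truncation never protected anyone.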

Coviello called for privacy reform and said the NSA "missed the opportunity" to provide transparency of its operations. "If they need to encroach on privacy in some form or fashion, it needs to be strictly governed, and so people feel comfortable about that process, it needs to be transparent so people can get visibility into how that governance model is actually being acted upon," he said in an interview with Dark Reading after his keynote. "The NSA missed the opportunity to give people that transparency. A lot in the press about the NSA is just not accurate."

Hypponen said there has been a relatively rapid mind-set shift to accepting the premise that all governments are involved in cyberespionage and using malware to do their spying. "That change has been very quick," he said. "If someone had told me in 2003 that governments would use malware and attack other governments, friendly governments, or would own the IT sector ... that would have been really far out. But that's exactly what happened."

Security firms themselves are becoming legitimate military targets, Hypponen said. "We are targets because we make technical contributions to military action by blocking [nation-state attacks]," he said. "That's not really what I signed up for in 1991," he added, referring to the year he started in security.

F-Secure, like other firms, has been targeted by nation-state-type attackers. "We've had a handful of detections," Hypponen said, acknowledging that there could be others that have gone undetected. In one case, he said, a new F-Secure board member was targeted with a phishing email containing a link to a rigged website. F-Secure's gateway proxy blocked the board member's visit to the site; he reported it to the IT department, which investigated the source and found the attack actually came from China rather than the U.S., as it had purported. "We got lucky," he said of the attempt.

And two months ago, the firm spotted an attack on one of its customers that used a lookalike domain: F-Secure's name with an extra hyphen.
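Both incidents come down to noticing an outbound request to a host that imitates a protected name. As an added example, not F-Secure's tooling, here is a small scanner over constructed proxy log lines (the brand list, hostnames and user names are all made up for the example) that flags hyphen variants, one-edit typos and hostnames with the brand embedded; the registrable-label split assumes single-part TLDs, where a real deployment would consult the public suffix list.

```python
import re

# Constructed brand list and proxy log lines for this example; not real data.
PROTECTED_BRANDS = ["f-secure"]

SAMPLE_PROXY_LOG = """\
2014-02-26T09:12:03Z user=alice host=www.f-secure.com action=allow
2014-02-26T09:14:41Z user=bob host=update.f-se-cure.com action=allow
2014-02-26T09:15:02Z user=carol host=fsecure-support.net action=allow
2014-02-26T09:16:30Z user=dave host=news.example.org action=allow
2014-02-26T09:18:12Z user=erin host=f-secure-login.com action=allow
"""

HOST_RE = re.compile(r"\bhost=(\S+)")


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Label just left of the TLD.  Assumption: single-part TLDs only; a real
    deployment would use the public suffix list (co.uk and friends)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(label, brand):
    """Why `label` imitates `brand`, or None if it is the brand itself or unrelated."""
    if label == brand:
        return None
    if label.replace("-", "") == brand.replace("-", ""):
        return "hyphen variant"          # extra, missing or moved hyphens
    if levenshtein(label, brand) <= 1:
        return "one edit away"           # classic typosquat
    if brand.replace("-", "") in label.replace("-", ""):
        return "brand embedded"          # brand plus a lure word such as -login
    return None


def scan_proxy_log(log, brands=PROTECTED_BRANDS):
    """Return (host, brand, reason) for every request to a lookalike host."""
    hits = []
    for line in log.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        label = registrable_label(host)
        for brand in brands:
            reason = lookalike_reason(label, brand)
            if reason:
                hits.append((host, brand, reason))
    return hits
```

Running scan_proxy_log(SAMPLE_PROXY_LOG) flags the three constructed lookalikes and leaves the genuine www.f-secure.com and the unrelated news.example.org alone. The checks are ordered from the strongest signal (same letters, different hyphenation) to the loosest (brand embedded in a longer label), so the reason reported is the most specific one that applies.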

Hypponen noted that Sweden is one of the more high-profile players in cyberespionage and, like the U.S., is relatively open about intercepting foreign traffic that transits its territory. His native Finland -- which has a long and proud tradition of being privacy-centric -- is trying to get into the act as well: the Finnish military intelligence agency and law enforcement have begun lobbying politicians to loosen the privacy laws that prevent them from spying. "We [F-Secure] are lobbying for the first time and trying to convince lawmakers that we would be shooting ourselves in the foot by changing our privacy laws," he said.

Meanwhile, security firms still aren't getting much better at detecting APTs, he said. "We [the industry] still suck. It's very hard -- that's why we suck. They have serious resources behind it," he said.

Rick Howard, CSO at Palo Alto Networks, says the industry, indeed, has been focused on APTs, but there are all types of adversaries. "[Attackers] are getting smarter, but they don't have unlimited resources," he says. The battle just goes on between attackers and their targets, according to Howard.

Java Threats Dropping
Hypponen said F-Secure's new threat report for the second half of 2013 found Java attacks on the decline. Java remains a popular vehicle for attackers, but it accounted for only about 26 percent of reported attack vectors. According to the report, the drop may be due to the October 2013 arrest of the alleged author of the BlackHole and Cool exploit kits.

"No one really knows why [Java attacks went down]," Hypponen said. And although the alleged author, known as Paunch, was arrested in Russia for writing the kits, it's unclear whether he will actually be sentenced in the end, he said.

According to F-Secure, malicious websites, malvertising, and rigged software downloaded from file-sharing sites are the most common infection vectors.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
3/22/2014 | 5:20:28 AM
re: Security Firms Face Crisis Of Trust
1.) Java install now requires mandatory whitelisting as opposed to the previous security add of optional blacklisting. Java has always been a fool's choice; even more so as it's being deprecated by its current owner, Oracle. Transfer of Java ownership to FOSS or to IBM (a major Java fanboy) would go a long way to reviving it.
2.) Phishing (Spear Phishing): executives and IT managers requiring full admin rights. (Rem Vista that senior IT managers had to log in to Server to do power user stuff on their desktop.) Target: how does a billing query get access to software deployment tools?
3.) IoT. Huawei was putting backdoors into the backbone routers it built for Cisco. We've had exploits from hacked printers for many years now. Recently an infected refrigerator was found to be a spambot. Recently hackers have shown how simple it was to take over a car computer. (The missing Malay flight apparently executed its divergent turn under flight computer control.) And almost all of our electronics is manufactured in China. Phones and tablets inherently allow wireless provider and manufacturer (Chinese) takeover. Add to that software (or an OS like Windows 8) that binds phone/tablet to all your devices, desktop et al., and hacking is not your worst scenario.
4.) Perhaps I read Tom Clancy conspiracy books, but a hack on NYSE or NASDAQ deleting ownership records and transferring stock/futures ownership offshore may cost $ trillions. Or it's the TV shows where the spy gets dressed up like a janitor or IT person; consider what high school dropout tech support grunt Snowden did to the NSA. The military harps on physical security and blocking all binary access to critical systems.
5.) Most server systems I've known (400+) do not run anti-malware, USB ports are enabled and autorun (funny stories about that). Could you find an MK802-sized device set up to monitor your network? (Hint: thermal adhesive.) So how did the State of Wisconsin IT find out about the rogue router in the Governor's Office?
User Rank: Ninja
3/8/2014 | 1:27:36 PM
re: Security Firms Face Crisis Of Trust
The computer industry as a whole has a complete credibility problem as far as security goes. "Computer Security" means less than "Honest Politician". This has resulted from the drunken cow-town stampede that started in the 1980s and has continued into the computers that are most widely used today. A better approach is required for the use of computers in commercial applications. Industry is reluctantly accepting the truth that the status quo is unacceptable. As a result we will see a correction -- and as usual the "failure to adapt to change" will result in the demise of those who either do not see or are just stubborn.